CVE-2025-39827

Severity: Medium (CVSS 3.1 base score 5.5) · EPSS 3.2%
Published: Sep 16, 2025 · Last Modified: Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

net: rose: include node references in rose_neigh refcount

Current implementation maintains two separate reference counting mechanisms: the 'count' field in struct rose_neigh tracks references from rose_node structures, while the 'use' field (now refcount_t) tracks references from rose_sock.

This patch merges these two reference counting systems using 'use' field for proper reference management. Specifically, this patch adds incrementing and decrementing of rose_neigh->use when rose_neigh->count is incremented or decremented.

This patch also modifies rose_rt_free(), rose_rt_device_down() and rose_clear_route() to properly release references to rose_neigh objects before freeing a rose_node through rose_remove_node().

These changes ensure rose_neigh structures are properly freed only when all references, including those from rose_node structures, are released. As a result, this resolves a slab-use-after-free issue reported by Syzbot.
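The description above explains the bug as a lifetime mismatch: a rose_neigh could be freed when its socket references ('use') dropped to zero while rose_node entries still pointed at it through the separate 'count' field, and the fix makes node references count in 'use' as well and drops them before the node itself is freed. The following is an added, self-contained user-space model of that change; it is not the kernel's code. The struct and function names (neigh, node, sock, neigh_hold, neigh_put, node_add_neigh, node_remove) are chosen here to mirror rose_neigh, rose_node, rose_sock and the routing helpers the description names, and kfree() is replaced by a "freed" flag so that a later access through a dangling node pointer can be detected instead of crashing. The `merged_refcounts` switch selects the pre-patch or the patched accounting.

```c
/* Constructed user-space model of the rose_neigh refcount change; not kernel code. */
#include <stdbool.h>
#include <stdio.h>

#define MAX_NODE_NEIGHS 3

struct neigh {
    int count;    /* old separate counter: references from nodes only */
    int use;      /* refcount_t in the kernel: socket refs; the fix adds node refs here */
    bool freed;   /* stands in for kfree(): marked instead of freed so a stale access is visible */
};

struct node {
    struct neigh *neighbour[MAX_NODE_NEIGHS];   /* mirrors rose_node->neighbour[] */
    int n_neigh;
};

struct sock {
    struct neigh *neighbour;                    /* mirrors rose_sock->neighbour */
};

/* false models the pre-patch accounting, true models the patched accounting */
static bool merged_refcounts;

static void neigh_hold(struct neigh *n)
{
    n->use++;
}

static void neigh_put(struct neigh *n)
{
    if (--n->use == 0)
        n->freed = true;    /* last reference gone: the kernel would kfree(n) here */
}

/* A node gaining a route through this neighbour */
static void node_add_neigh(struct node *nd, struct neigh *n)
{
    nd->neighbour[nd->n_neigh++] = n;
    n->count++;
    if (merged_refcounts)
        neigh_hold(n);      /* the fix: a node reference is also a 'use' reference */
}

/* Tearing a node down (the rose_rt_free / rose_rt_device_down / rose_clear_route
 * paths): release the neigh references before the node itself disappears */
static void node_remove(struct node *nd)
{
    for (int i = 0; i < nd->n_neigh; i++) {
        nd->neighbour[i]->count--;
        if (merged_refcounts)
            neigh_put(nd->neighbour[i]);
    }
    nd->n_neigh = 0;
}

static void sock_connect(struct sock *sk, struct neigh *n)
{
    sk->neighbour = n;
    neigh_hold(n);
}

static void sock_release(struct sock *sk)
{
    neigh_put(sk->neighbour);
    sk->neighbour = NULL;
}

/* A routing lookup walking the node's neighbour list; true if it dereferenced
 * a neigh that is already "freed", i.e. the slab use-after-free */
static bool route_lookup_hits_freed(const struct node *nd)
{
    for (int i = 0; i < nd->n_neigh; i++)
        if (nd->neighbour[i]->freed)
            return true;
    return false;
}

struct outcome {
    bool use_after_free;   /* lookup touched a freed neigh */
    bool freed_at_end;     /* neigh released once every holder dropped it (no leak) */
    int final_use;
};

/* Scenario from the description: one node and one socket both hold a neigh.
 * The socket is released first, a lookup runs, then the node is removed. */
struct outcome run_scenario(bool fixed)
{
    struct neigh n = {0};
    struct node nd = {0};
    struct sock sk = {0};
    struct outcome out = {0};

    merged_refcounts = fixed;
    node_add_neigh(&nd, &n);    /* old: count=1 use=0     fixed: count=1 use=1 */
    sock_connect(&sk, &n);      /* old: use=1             fixed: use=2 */
    sock_release(&sk);          /* old: use=0, freed now  fixed: use=1, still alive */
    out.use_after_free = route_lookup_hits_freed(&nd);
    node_remove(&nd);           /* fixed: use=0, freed only after the last holder */
    out.freed_at_end = n.freed;
    out.final_use = n.use;
    return out;
}

int main(void)
{
    struct outcome old = run_scenario(false), fix = run_scenario(true);
    printf("pre-patch: use_after_free=%d freed_at_end=%d\n", old.use_after_free, old.freed_at_end);
    printf("patched:   use_after_free=%d freed_at_end=%d\n", fix.use_after_free, fix.freed_at_end);
    return 0;
}
```

The pre-patch run reproduces the ordering in the description: the socket's release takes 'use' to zero and frees the neigh while the node's 'count' is still one, so the next lookup through the node reads freed memory. The patched run keeps the neigh alive until node_remove() drops the node's reference, and the object is still released exactly once, so the fix closes the use-after-free without introducing a leak.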

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
3.2% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products (13)

Vendor   Product        Version   Range
linux    linux_kernel   *         ≥ 2.6.12.1, < 6.1.150
linux    linux_kernel   *         ≥ 6.2, < 6.6.104
linux    linux_kernel   *         ≥ 6.7, < 6.12.45
linux    linux_kernel   *         ≥ 6.13, < 6.16.5
linux    linux_kernel   2.6.12    any
linux    linux_kernel   2.6.12    any
linux    linux_kernel   2.6.12    any
linux    linux_kernel   2.6.12    any
linux    linux_kernel   2.6.12    any
linux    linux_kernel   6.17      any
linux    linux_kernel   6.17      any
linux    linux_kernel   6.17      any
debian   debian_linux   11.0      any

References (7)

  • https://cert-portal.siemens.com/productcert/html/ssa-032379.html
  • https://git.kernel.org/stable/c/384210cceb1873a4c8218b27ba0745444436b728 (Patch)
  • https://git.kernel.org/stable/c/4cce478c3e82a5fc788d72adb2f4c4e983997639 (Patch)
  • https://git.kernel.org/stable/c/9c547c8eee9d1cf6e744611d688b9f725cf9a115 (Patch)
  • https://git.kernel.org/stable/c/d7563b456ed44151e1a82091d96f60166daea89b (Patch)
  • https://git.kernel.org/stable/c/da9c9c877597170b929a6121a68dcd3dd9a80f45 (Patch)
  • https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html (Third Party Advisory)

Remediation

  • https://git.kernel.org/stable/c/384210cceb1873a4c8218b27ba0745444436b728 (Patch)
  • https://git.kernel.org/stable/c/4cce478c3e82a5fc788d72adb2f4c4e983997639 (Patch)
  • https://git.kernel.org/stable/c/9c547c8eee9d1cf6e744611d688b9f725cf9a115 (Patch)
  • https://git.kernel.org/stable/c/d7563b456ed44151e1a82091d96f60166daea89b (Patch)
  • https://git.kernel.org/stable/c/da9c9c877597170b929a6121a68dcd3dd9a80f45 (Patch)